Enumeration

Nmap

Initial nmap scan revealed SSH and HTTP ports were open.

[screenshot: nmap scan]

Web Enumeration

Website was Simple PHP Photo Gallery 0.8.

[screenshot: website]

I then searched for some exploits and found there were LFI and RFI vulnerabilities for version 0.7. Nevertheless, I wanted to try it.

site.com/image.php?img= [ PAYLOAD ]

At first I applied directory brute forcing to be sure there are image.php or other endpoints.

[screenshot: image.php]

Exploitation

LFI and RFI

Then I tried LFI and it worked. I saw there was a user named michael.

[screenshot: LFI]

Then I tried RFI and it also worked.

[screenshot: RFI]

So I downloaded pentestmonkey/php-reverse-shell and updated the port and IP values. I also saved it as a txt file.

[screenshot: updated reverse shell]

Then I visited the website and got reverse shell.

[screenshot: reverse shell]

db.php

There was a file named db.php under the web root. I checked it and found the mysql root password. Then I logged in to mysql.

[screenshot: mysql]

Then I enumerated usernames and found base64 encoded user passwords.

[screenshot: db]

Then I decoded it and logged in to SSH as michael.

[screenshot: local]

Privilege Escalation

writeable passwd

I executed linpeas.sh and found that I could overwrite /etc/passwd.

[screenshot: passwd]

So I executed the command below to add a user r00t:password. Then I switched to that user and read the root flag.

pw=$(openssl passwd password); echo "r00t:${pw}:0:0:root:/root:/bin/bash" >> /etc/passwd

[screenshot: flag]
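As an added defensive check (not part of the original writeup), the Python below audits the two conditions this step relies on: a world-writable /etc/passwd, and an appended entry that is a second UID 0 account carrying an inline hash instead of the "x" shadow marker. The sample file content is constructed and the hash value is a placeholder.

```python
import os
import stat

# Constructed sample: a stock-looking /etc/passwd plus the kind of line the
# writeup appends (second UID 0 account with an inline crypt hash).
# The hash is a placeholder, not a real value.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
michael:x:1000:1000:michael:/home/michael:/bin/bash
r00t:$1$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
"""


def audit_passwd_entries(content):
    """Return (name, reason) findings for suspicious entries in passwd content."""
    findings = []
    for line in content.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        # Anything other than the shadow marker (or a locked marker) in field 2
        # means the hash, or an empty password, lives in /etc/passwd itself.
        if pw != "x" and not pw.startswith(("*", "!")):
            findings.append((name, "password field is not shadowed"))
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
    return findings


def mode_is_world_writable(mode):
    """True if the 'other' write bit is set in a st_mode value."""
    return bool(mode & stat.S_IWOTH)


def passwd_file_is_world_writable(path="/etc/passwd"):
    """True if the passwd file at path is writable by everyone (what linpeas flagged)."""
    return mode_is_world_writable(os.stat(path).st_mode)


if __name__ == "__main__":
    for name, reason in audit_passwd_entries(SAMPLE_PASSWD):
        print(f"{name}: {reason}")
    print("world-writable:", passwd_file_is_world_writable())
```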
